DATA SHARING AGREEMENT

JOBSTREET.COM PHILIPPINES INC. (JSPH) and Creavalue Prime Holdings, Inc.

hereinafter individually referred to as “Party” and collectively as “Parties”. have agreed to share Personal Data with
each party for the purpose of candidate hiring and selection.

For purposes of the Agreement:

1. “Personal Data” means personal information and sensitive personal information as these terms are defined
in Republic Act No. 10173 or the Data Privacy Act of 2012, as this law may be amended from time to time
(DPA) which are transferred or provided, or to which the DISCLOSING PARTY gives RECIPIENT
PARTY access, to the RECIPIENT PARTY, or which the RECIPIENT PARTY otherwise obtains in
connection with the Agreement. The Personal Data to be shared by DISCLOSING PARTY (through
physical/electronic means) are as follows:

DISCLOSING PARTY: JSPH

DATA SUBJECT: CANDIDATES

Type of Parties
Personal Granted Estimated Frequency
S/N Personal Data Objective
Data /s Access and Volume of Access

Julie Dian R. Caminong  Julie Dian R.

 Santa Rosa City, Laguna Caminong
 julie.caminong@bvmanil - Human
To reach out Resources
a.ph to the Officer
PI  0995-653-1599
1. applicants
 Abba Borgoños (General  Elaine Dela
through their
Manager, Creavalue Punta
Prime Holdings, Inc.) contact - Admin.
 4’11 details Specialist
 47kgs

Elaine A. Dela Punta

 Pasig City
 elaine.delapunta@bvmani Frequency: Every 2-3
la.ph
 0977-636-1416 hours/day
 Abba Borgoños (General
Access: 2 users
Manager, Creavalue
Prime Holdings, Inc.)
 5’3
 50kgs

1
 Julie Dian R. Caminong
 27
 Single
 College Graduate
 Working
Experience
 Photo To assess the
 Languages qualifications
SPI spoken of the
2.
 Religion candidates
 Health Data for a certain
 Educational data position
(CV’s/Resume’s; Work
history; Educational
history;
Academic

2
 transcripts;
Trainings attended)
 Driver’s license
 Profession
license
information
 Other information
associated with a
resume for job
applications

JSPH DPO
DISCLOSING PARTY: 2022-04-28 11:27:02
DATA SUBJECT: --------------------------------------------
JSPH DPO
Partner's Complete
2022-04-28 11:13:53 Company Name or Alias
Type of Parties Note: This portion is OPTIONAL. If the Partner
--------------------------------------------
Personal Granted believes
Put Estimatedemployee’s
thethat their
Partner's data subjectdata
Frequency nameare(i.e.
being
Contact
S/N Personal Data Objective/s processed due to this subscription/partnership,
Person)
Data Acess and Volume of Access
this may be filled in. Otherwise, put N/A.
Name To coordinate JSPH DPO
2022-04-28 11:16:12
Address with the JSPH on Frequency:
JSPH DPO
--------------------------------------------
1. PI Email Address managing the 2022-04-28 11:15:46
No, of user access and how often it will be accessed
Telephone No. subscription Access: users
--------------------------------------------
per certain period of time (e.g., per day, per
Put the user/s
month, etc.) who will access the data. If too
many, position title/team name will suffice. (e.g.,
K/AM, CC, O2C, etc.)

2. “Data Privacy Laws” means the DPA, its implementing rules and regulations, and relevant issuances of the
National Privacy Commission, as well as any other privacy laws applicable to the RECIPIENT PARTY.

3. “Data Subject” shall have the same meaning as set forth in the Implementing Rules and Regulations of the
DPA, as may be amended and supplemented from time to time.

I. Representations and Warranties of DISCLOSING PARTY in respect of Data Privacy Laws.

DISCLOSING PARTY represents and warrants to the RECIPIENT PARTY that:

a. insofar as Personal Data collected, or in any manner obtained, by DISCLOSING PARTY may be
transferred to, shared with, or in any manner may be received by, RECIPIENT PARTY pursuant
to this Agreement, appropriate and valid consents from the relevant Data Subjects, whenever
necessary as provided for under the Data Privacy Laws, have been or will be obtained by
DISCLOSING PARTY;

b. it is compliant with Data Privacy Laws; and

c. it has or will provide the following information to the Data Subject before the Personal Data is
shared with RECIPIENT PARTY:

i. Identity of the personal information controllers or personal information processors

that will be given access to the personal data;

3
 ii.Purpose of data sharing;
iii.Categories of personal data concerned;
iv. Intended recipients or categories of recipients of their personal data;
v. Existence of the rights of data subjects, including the right to access and
correction, and the right to object;
vi. Other information that would sufficiently notify the data subject of the nature and
extent of data sharing and the manner of processing.
II. Representations and Warranties and undertakings of RECIPIENT PARTY in respect of Data Privacy
Laws.

RECIPIENT PARTY represents and warrants that it is compliant with Data Privacy Laws, and has adequate
safeguards for data privacy and security of the Personal Data, and

a. It shall keep Personal Data confidential, and shall not disclose, publish, release, transfer or
otherwise make available, directly or indirectly, this data, in any form to, or for the use or benefit
of, any person or entity, without obtaining DISCLOSING PARTY’s written consent. RECIPIENT
PARTY shall, however, be permitted to disclose relevant aspects of Personal Information to its
officers, directors, employees, and representatives, to the extent that such disclosure is not restricted
by this Agreement, or any applicable law, and only to the extent that such disclosure is reasonably
necessary for the performance of the Services, and RECIPIENT PARTY’s duties and obligations
under this Agreement; provided, however:

i. RECIPIENT PARTY shall be responsible for ensuring that such officers, directors,
employees, and representatives abide by the provisions of this Agreement on
confidentiality and data protection;

ii. If RECIPIENT PARTY discloses Personal Data to a third party with

DISCLOSING PARTY’s consent, RECIPIENT PARTY shall ensure that the third
party is subject to the same obligations of confidentiality and data protection as set
out in this Agreement

iii. If RECIPIENT PARTY is required to make a disclosure under applicable law or

pursuant to a lawful order of a court or government agency, the disclosed data
shall retain its confidential status for all other purposes, and RECIPIENT PARTY
undertakes that prior to any disclosure made under that item, it shall notify
DISCLOSING PARTY of RECIPIENT PARTY’s obligation to make the
disclosure and the basis thereof, within such time as shall provide DISCLOSING
PARTY with reasonable opportunity to object to the disclosure and/or to seek a
protective order against the disclosure.

RECIPIENT PARTY shall be responsible for any breach of confidentiality or privacy, or of any of
the terms in this schedule and/or Agreement, arising from the acts or omissions of RECIPIENT
PARTY’s officers, directors, employees, consultants, representatives and agents, and any third
party to which RECIPIENT PARTY may disclose or outsource Personal Data.

d. It shall uphold the rights of the Data Subjects as required by Data Privacy Laws. The processing it
will undertake shall adhere to the data privacy principles laid down in Data Privacy Laws. Hence,
upon request of DISCLOSING PARTY, it shall assist DISCLOSING PARTY in responding to
requests by data subjects whose Personal Data is being processed, or that had been processed, by
RECIPIENT PARTY, such data subjects are exercising their rights under Data Privacy Laws and
assist DISCLOSING PARTY to comply with Data Privacy Laws.

e. Upon knowledge of or upon reasonable belief that a Personal Data Breach or a Security

4
 Incident relating to or affecting Personal Data has occurred, RECIPIENT PARTY shall notify
DISCLOSING PARTY of such matter, within a timely manner in order to allow the
DISCLOSING PARTY to comply with applicable notification requirements under Data Privacy
Laws. Notice to the DISCLOSING PARTY must be in writing and should setting out all the
information that would be necessary for or relevant to the DISCLOSING PARTY’s notification
obligations under Data Privacy Laws. The RECIPIENT PARTY shall give timely and sufficient
access to its records and personnel to the DISCLOSING PARTY and its advisers, preserve the
relevant records and information, and otherwise exert best efforts to assist the DISCLOSING
PARTY to comply with its obligations in relation to Data Privacy Laws on Personal Data
Breaches and Security Incident.

f. RECIPIENT PARTY shall correct, delete or block access to Personal Data promptly upon request
by DISCLOSING PARTY to ensure that the Personal Data is correct and accurate.

g. It shall allow DISCLOSING PARTY to audit the RECIPIENT PARTY’s compliance with its
undertakings under the Services Agreement and obligations under Data Privacy Laws, as well as
assist DISCLOSING PARTY in conducting or responding to audits of DISCLOSING PARTY’s
own compliance with Data Privacy Laws. In this regard, RECIPIENT PARTY shall cooperate with
DISCLOSING PARTY and its representatives by providing information and allowing inspections
of its systems, as may be necessary. In the conduct of such audit, RECIPIENT PARTY shall
provide to DISCLOSING PARTY and to DISCLOSING PARTY’s internal and external auditors
and other such representatives as DISCLOSING PARTY may reasonably designate from to time
access during normal business hours and after prior notice for the purpose of performing audits
and inspections of DISCLOSING PARTY, to verify the integrity of Personal Data, to examine the
systems that process, store, support and transmit such data, and to examine RECIPIENT PARTY’s
performance of the Services and compliance with its undertakings and obligations under the Data
Privacy Laws. RECIPIENT PARTY shall further provide all reasonable cooperation to
DISCLOSING PARTY’s auditors, inspectors, regulators and representatives.

III. Liability and Indemnification

Each Party, which causes a breach of this Agreement, whether wilfully or through its gross negligence,
agrees to indemnify, hold harmless and defend the other Party, and its employees, officers, directors,
agents, successors and assigns from and against damages, penalties, losses, liabilities, judgments,
settlements, awards, and costs and expenses of any kind or nature, including reasonable attorneys' fees,
suffered or incurred in connection with any claims, demands, causes of action, suits, proceedings or other
actions, arising from such wilful breach or gross negligence.

IV. Duration of this Agreement

Unless extended by mutual written consent of both Parties hereto, this Agreement shall expire in five (5)
years from the date hereof and shall be in effect while the RECIPIENT PARTY has access to the Personal
Data shared by the DISCLOSING PARTY. The RECIPIENT PARTY shall promptly inform the
DISCLOSING PARTY in case of any changes in the parties to be granted access, and this Agreement shall
then be reviewed to take into account the sufficiency of the safeguards implemented for data protection and
any data breach or security incident that may have occurred affecting the shared data.

V. Retention of Personal Data

Personal Data should only be processed for as long as is necessary. Processing of Personal Data should be
limited accordingly and for a period no longer than the term of this Agreement. Specific justification for
processing of Personal Data beyond said period is required.

5
 VI. Return or Destruction of Personal Data

Upon completion of the purpose, expiration or termination of the Contract or this Agreement, or upon
request of DISCLOSING PARTY, whichever is applicable, RECIPIENT PARTY shall perform the
following within thirty (30) days from the date of project completion, expiration or termination:

a. Return all Personal Data of Data Subjects in any recorded form including any other property,
information, and documents provided by the DISCLOSING PARTY;

b. Destroy all copies it made of Personal Data and any other property, information and documents. For
print out or other tangible formats, the document will be shredded. For data in electronic form, the
document must be deleted, wiped, overwritten or otherwise make it irretrievable; and

c. Deliver to DISCLOSING PARTY a certificate (using the template provided) confirming RECIPIENT
PARTY’s compliance with the return or destruction obligation under this section.

VII. Governing Law and Venue

This Agreement shall be governed by and construed in accordance with the laws of the Philippines, without
regard to any conflicts of law rules. Exclusive jurisdiction over and venue of any suit arising out of or
relating to this Agreement shall be in the courts of Metro Manila, Philippines. The Parties hereby consent
and submit to the exclusive jurisdiction and venue of those courts.

VIII. Electronic Signatures

This Agreement may be executed electronically or by way of electronic signature and such electronic
signatures shall be deemed original signatures, have the same force and effect as manual signatures and
binding upon the Parties. If this Agreement shall be executed electronically, the best evidence of this
Agreement shall be a copy of this Agreement bearing an electronic signature, in portable document format
(.pdf) form, or in any other electronic format intended to preserve the original graphic and pictorial
appearance of a document.

IN WITNESS WHEREOF, the Parties have hereunto affixed their signatures on the date and at the place
written above.

JOBSTREET.COM PHILIPPINES INC: :

JSPH DPO
2022-04-28 11:17:15
--------------------------------------------
Partner's Complete Company Name

RYAN TORDESILLAS Name:

HEAD OF SALES Position Title: JSPH DPO
2022-04-28 11:18:11
Date Signed: --------------------------------------------
Partner's Authorized Signatory signature and details

6
 Signed in the Presence of:

LESLY ANN ARBAN Name: JSPH DPO

DATA PRIVACY OFFICER
dataprotectionofficer@jobstreet.com
Position Title: 2022-04-28 13:25:33
Email Address: --------------------------------------------
Partner's DPO signature and details.
Date Signed: Note: Witness on this contract should be the
Partner's Data Protection Officer (DPO) or anyone
who is in charge to data privacy compliance. If
none, the default DPO will be the Head of the
company as per DPA.